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Accepted: 2023-01-09 process of Higher Education, primarily Academic. On the other hand, the 
sophistication of IT in SIAK develops a variety of new risks (IT Risks) that 
accompany it if not managed properly. Therefore, the maturity level of SIAK 
management determines the performance of the academic activity process. In 
SIAK, the element that determines system performance is Application Software. 
The results of this study indicate that IT Process AI-02 (Procurement of 
Application Software) Vocational Higher Education in Bandung, as measured 
based on COBIT standards, is still at the 2.1 level. This means a part/function 
(management) already handles Software Procurement but is still "Repeatable 
but intuitive." Because it is managed sporadic and only refers to leadership 
policies with limited control over IT/SIAK. From the radar chart of the research 
results, it can be seen that the prominent role of IT Process AI-02 is the aspect 
(indicator) of "Approval," "Technical Support from Vendors," and focus on 
handling the problem of "data integration" because many universities are in the 
transition period from old IT to new IT. Other indicators (COBIT requirements) 
still need to be higher (meaning they have not become a concern) when the AIS 
procurement process is carried out. 
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INTRODUCTION 

Higher education, including Vocational Higher Education today, is highly dependent on the 
existence and use of Academic Information Systems (AIS). It can even be an enabler. SIAk requires 
appropriate Information Technology that is used efficiently, which requires increasingly large 
investment funds and operational costs. Therefore, information technology must provide benefits 
that optimize the Academic Information System's (SIAK) performance. This means that SIAK must 
be managed with an adequate level of IT Governance. Managing SIAK based on the principles of IT 
governance, university management will be able to control IT risks that may arise. Starting from 
Cyber Crimes, fraud against academic databases, decreased performance of Information Systems, 
slow E-learning Systems, inefficient financial management of IT investments, and various risks that 
may arise from using SIAK from immature management. 

Previous research shows that the SIAK of most universities in Indonesia still has a relatively 
low level of information technology governance maturity (IT Maturity Level) when referring to Best 


189 


ao y PUBLISHING 
{ @, CATRA 
6 REStARcH 
INSTITUTE 
= J O T A @ P-ISSN - 2830-6392 (PRINT) 
, @ E-ISSN ~ 2962-2522 (ONLINE) 
I seeretl el Gerace, Yorotvon ova avsinn 


JOURNAL OF GOVERNANCE, TAXATION 
A AND AUDITING 


indexed By : 


aD CD 


Practice Standards such as COBIT. This means the SIAK needs to be managed systematically, 
structured, or well-documented and refers to various best practice measures. This is the reason 
(rationality) why research on IT Governance Audit of SIAK is essential, especially in IT Process AI- 
02 (Procurement and Implementation). 

COBIT is the best IT Framework today, used to manage Information Systems (and their 
elements) to achieve an optimal Maturity Level. This research is intended to measure the extent of 
the Maturity Level of IT Process AI-02, namely, "Acquire and Maintain Application Software," 
including control of existing IT Risks. 

Definition of IT Governance. IT Governance is a process of controlling the management of 
Information Technology (or Information Systems) carried out by an organization, which includes 
using IT resources such as software, Brainware, and databases for IT infrastructure. Other experts 
say that IT Governance is a management activity/ process in choosing and using decisions related 
to obtaining and using IT resources. Oltsik (2003) defines IT Governance as a set of policies, 
processes/ activities, and procedures that support the operation of IT (Information Systems) so that 
the results are in line with business strategy (organizational goals). 

COBIT Basic Concepts. COBIT, which stands for "Control Objective for IT and its related," is 
one of the instruments and frameworks created to control an Information System. Apart from being 
a reference for building and managing IT Governance (IT Management Framework), COBIT is also 
used by IT / SSI Auditors as a standard in conducting audits whose object is Information Systems. 
COBIT says that the Process of managing Information Systems (ISAK) must begin by conducting 
and determining various IT Processes (activities) covered by the "IT Planning and Organise" 
Domain. Then, it is followed by the "IT Acquiring and IT Implementation" Domain, then the "IT 
Delivery and IT Support" Domain, and ends by carrying out activities (IT processes) in the "IT 
Monitoring and IT Evaluation" Domain. 

Each IT Process is equipped with controls that measure success in carrying out these IT 
activities. Control Objective set by IT Framework COBIT consists of a High-level Control Objective 
comprising 34 pieces. Each high-level control objective comprises three to twelve detail-level control 
objectives (DCOs). 384 Detail-Level Control Objectives (DCOs) are spread across various domains. 
The Domain "IT Acquisition and Implementation (AI)" consists of six IT Processes as follows: 

AI-01 "Identify Automated Solutions" 

AI-02 "Acquire and Maintain Application Software" 
AI-03 "Acquire and Maintain Technology Infrastructure 
AI-04 "Develop and Maintain Procedures" 

AI-05 "Install and Accreditation" 

Ai-06 "Manage Changes" 

This research is focused on measuring the Maturity Value of IT Process Ai-02, namely "Acquire 
and Maintain Application Software."This IT Process is measured through qualitative data 
(interviews and observations) and then converted into quantitative data (Scoring). The IT Process 
Maturity Score is then accumulated and expressed in one number called the IT Maturity Level. The 
level of this number is as follows: 
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LEGEND FOR SYMBOLS USED LEGEND FOR RANKINGS USED 


Enterprise Current Status 0 Non-Existent — Management processes are not applied at all 
= International Standard 1 Initial — Processes are ad hoc and disorganised 
Guidelines 2 Repeatabie — Processes follow a regular pattern 
es Industry Best Practice 3 Defined — Processes are documented and communicated 
4 Managed — Processes are monitored and measured 
Enterprise Strategy 5 Optimised — Best practices are followed and automated 


Figure 1. IT Process Maturity Level Figures 


The meaning of the IT Process Governance Maturity Level Value is explained as follows: 

Level 0 (No IT management at all/Non-Existent. A condition where a university needs to be 
made aware of the importance of Information Technology Governance. Only a few COBITs are 
carried out at this College, even though it uses the Academic Information System (SIAk). 

Level 1 (Initial/Ad-Hoc). Conditions where the College has carried out some IT Processes, but 
these activities are carried out reactively (sporadically) without using standardized standards and 
routine systems. Colleges already have an Academic Information System, but it is managed without 
being supported by certain sections/units that specifically handle it. 

Level 2 (Repeatable/manageable but intuitive). Conditions where universities have 
implemented various IT processes based on COBIT standards (and have run SIAk) with 
management-based governance. However, the existing IT management needs to be better defined 
and standardized, so running it is often inconsistent (disorganization). Universities have started to 
use procedures in the AIS, but not all of them are documented, and the procedures/systems have 
not been formally socialized to related parties. There has yet to be formal training related to the 
effectiveness of the performance of these systems and procedures. The individual still determines 
implementation responsibility for the AIS (section) deemed competent to do so (IT Function). The 
highest leadership of the College has a low commitment to developing the AIS to a more mature 
level. 

Level 3 (Defined Process). Conditions where the College has formal and written standard 
procedures (documented) and has been socialized to various levels of management (and users) as 
part of daily work activities. Universities already have their own AIS management that is managed 
with good IT management (good practice). However, there is no method or reference to 
systematically measure the effectiveness of procedures/systems/management, so it is still possible 
that many deviations and errors in the IT Process are being carried out because it does not refer to 
Best Practices. 

Level 4 (Managed and measurable). The condition where Higher Education has several 
indicators or quantitative measures that are used as targets/ objectives to control the performance of 
various IT Processes carried out by SIAK, which already refers to Best Practice. There are already 
facilities to monitor and measure the effectiveness of IT procedures and management. Higher 
education can quickly find out and take the necessary actions if there is a process of using IT that is 
indicated to be running ineffectively (IT Risk). The IT process is continuously improved (learning and 
growing) and compared with best practices from similar industries. There are also tools to automate 
IT Process control and SIAK performance improvement processes. 

Level 5 (Optimistic/Optimised). A condition where the College has implemented IT 
Governance that refers to best practices optimally. The IT Process carried out by SIAK has reached 
the best level of maturity because various continuous improvements have been made, and the 
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Process of comparison (benchmarking) with other parties is the best reference (standard). Automated 
tools have been used to support workflow in managing various IT processes and the operation of SIAK. 
The College is constantly improving the efficiency and quality of performance of the various IT 
Processes that are carried out, even so flexible that they are easily adaptable to changes in 
Information Technology. 

Academic Information System (AIS). Sources of data and information currently reliable in 
supporting the management of higher education academic activities are processed by the Academic 
Information System (SIAk). The Academic Information System functions to provide all academic 
information needed by stakeholders, namely the highest leadership (top management), head of 
department (middle management), head of study program (operational management), lecturers, 
including non-managerial parties such as students, homeroom teachers, parents and heads of 
administrative fields (supporting activities). Academic Information System has become a tool 
(strategic instrument). However, as an information system, various IT risks always prevent the 
strategic goals from being achieved and can even result in losses for higher education. 

Although the Academic Information System (AIS) consists of various elements, its 
performance is primarily determined by the application software used: Whether it has features, 
menus and facilities appropriate to the College's Academic Processes. How the software is 
implemented (installed) and customized (adjusted) will determine whether the application software 
can improve the performance of the SIAK. 


METHODS 

This research uses qualitative research methods, where the data are in the form of 
opinions/ opinions of leaders of Vocational Universities (at various levels) located in Bandung City. 
The data is then converted into quantitative data using the Scoring Method (Surendro) concerning the 
COBIT Maturity Level weighting method. Respondents are leaders and users of respondent 
universities from various levels, ranging from lecturers, heads of departments, and heads of study 
programs to assistant directors and directors whose job functions and responsibilities are related 
(directly or indirectly) to SIAK, including students who are also end-users. 


INFORMATION SYSTEM AUDIT METHODOLOGY: 


. Audit Activity Planning Stage (Audit Planning) 
. Preparation of Program Audits / Working Papers 
Based on COBIT 
. Implementation of Data Collection (Evidence) in 
The Field 
- Cobit Maturity Calculation Process and 
Preparation of Audit Reports and Research 
Reports 
. Controlling The Follow-Up to the Results of 
Improvements to Recommendations 


Current IT 
governance 


(Current 
situation) 
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Figure 2. SIAK Governance Audit Methodology 


RESULT AND DISCUSSION 

The data from the questionnaires collected in this study came from 100 respondents. The 
questionnaire questions were based on the High-Level Control Objective of IT Process AI-02, which is 
defined as follows: 

"To control over the IT process of acquiring and maintaining application software that satisfies the 
business requirement to provide automated functions that effectively support the business process is enabled 
by the definition of specific statements of functional and operational requirements, and a phased 
implementation with clear deliverables..." (Source: COBIT 3” Edition: Control Objectives, 2000) 

The high-level control objective is then translated into several more detailed statements called 
Detailed control objectives (DCO). The following is the DCO statement for IT Process AI-02: 

1. If the Application software is created by the College itself (not purchased), this activity must be 
carried out using systematic and structured Application design and programming methods. 

2. New application software will generally change various aspects of the Academic Information 
System (AIS). Therefore, the relevant management must control and direct these changes well. 

3. The relevant parties must first approve the general and detailed design of each application 
software. If buying ready-made application software (in the form of Application Packages), the 
features must be adjusted (in this case, it must be in line with the Academic Information System 
of the College). 

4. If the application is self-made, the software documentation is made systematically and clearly to 
facilitate the future improvement/ development of the application. 

5. The source documents of the data to be processed by this application software must be properly 
prepared and designed. 

6. The application software must-have features that meet the needs of the Process being automated 
and make it easy for users to do so. 

7. Various Application Control elements, according to the activities being automated, should be 
covered in the application. 

8. Application Software must have passed testing based on the appropriate method/ method, and 
the relevant leadership must approve the test results. 


Table 1. Management Awareness and Achievement Score of IT Process AI-02 


No. Detailed Control Objective (DCO) AI-02 L M H anaes 

1 Effectiveness of Application Software Procurement 19% 68% 13% 19 
Procedures 

> Application Software Specification feature agreement with 16% 65% 19% 20 
End-User 

3 Existing Systems specification change procedures and 26% 48% 26% 20 
methods 

4 Approval of Application Software Specification Design 6% 42% 52% 25 
from Leadership 

5 Involvement of related parties to match the specifications 39% 45% 16% 18 
of the purchased App 

6 Design of input data source documents for new 32% 52% 16% 18 
application software 

7 Check List for feature match check New application 39% 48% 13% 1,7 

8 User-friendly factor 6% 68% 26% 2,2 
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9 Establishment of Application software procurement team 16% 61% 23% 2,1 
10 Involvement of relevant leaders to determine the features 10% 61% 29% 22 
of the Application Software 
11 Quality testing of procured (made/ purchased) 13% 58% 29% 22 
Application Software 
12 Completeness of Manual Book 13% 55% 32% 2,2 
13‘ Training for potential users of the application 16% 48% 35% 2,2 
14 = Technical support from vendors 10% 48% 42% 2,3 
15 Effective tendering procedures and mechanisms 42% 35% 23% 1,8 
16 Considering the IT Security factor of the held application 6% 65% 29% 22 
software 
17 Integration of data from Application software with legacy 6% 42% 52% 25 
system 
AVERAGE Performance Level of IT Process AI02 19% 54% 28% 2,1 


The calculation results (data processing) show that as many as 54% of higher education 
leaders say they have handled the activities/ processes of procuring Application Software quite 
well (Mediocare). Even 28% considered that the Governance of IT Process AI-02 had been done well 
and by COBIT standards. Generally, the remaining risk (Residual Risk) is only 19%, categorized as 
Low IT Risk. 

However, if analyzed partially, it can be seen that most of these Vocational Universities do 
not involve many potential users (business owners) such as Departments, Study Programs, Lab 
Heads, Lecturers, students, and other related parties in the Process of procuring Application 
Software for SIAK. The 39% figure shows that there still needs to be more user involvement as 
required in the COBIT DCO. Another exciting thing from the data findings is that 32% said there 
needed to be systematic document preparation for the procured application software. This shows 
that 84% of higher education leaders consider application software not central in determining the 
quality of academic information systems (SIAK). 

42% of universities still tender for the procurement of Application Software in a sober (low) 
less effective (when referring to COBIT). This implies that there is generally no effective 
mechanism and procedure for tendering (purchasing) Application software. The low-performance 
Value of this aspect, which is 1.8, shows that universities do not consider it essential to create a 
clear and structured mechanism related to the Application Software procurement process. Table 1 
above also shows the overall performance value of the attributes (indicators). A Total Performance 
Value of 2.1 indicates that the level of achievement of AI-02 based on the DCO of the COBIT 
standard is at the MEDIUM Level. This value means the remaining IT Risk is relatively high 
(Medium Risk). However, some other aspects that must be watched out for because they are below 
2) are as follows: 

. Effectiveness of Application Software Procurement Procedures (Performance Value 1.9) 
. Related Party Involvement (Performance Score 1.8) 
. Design of Tender Input Document for New Application (Performance Value 1.8) 
. Check List (Performance Value 1.7) 
. Tender Procedures and Mechanisms (Performance Score 1.8) 
The five attributes with performance scores below 2 have the potential to pose serious risks 
(Medium and Hgh); if not handled properly, it will have an impact on the effectiveness of SIAK. 
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PERFORMANCE VALUE CHART OF DCO AlI-02 


++*@+** DCO Performance Value A-O2 


1 Effectiveness of Application Software 
procurement procedures 


17 Data integration from application 25 2 Agreement on Application Software 
software with old systems . Specification features with End-Users 

16 Take into account the IT Security “3D-» 3 Procedures and Methods for 

Software Application factors being_. . e. changing Existing Systems... 
15 : 

15Effectivetenderproceduresand =f 4 Approval of Application Software 
mechanisms 10 ‘A Specification Design from Leadership 
Y I f related 
* - 5 Involvement of related parties to 
14Tech | t fi d . 
i ai ch ll e e match the specifications of the... 
0,0 : 
- = ‘ cE) —- 
13 Training (Training) for prospective e ’ 6 Design of input data source 
application users *. documents for new application... 
®. 7 Checklist for checki tibilit 
12 Manual Book Completeness . piciemeiatciles ae hie Piibaidaimteatitd 
of new application features 
eeoee or 
11 Testing the quality of Application e-"* 


Software ied icjested/purchased), ai 
of leadership regarding 


ppeeenlicienl Application Software... 


Involvemen 


8 Easy to use factor (User Friendly) 


9 Formation of an Application software 


procurement team 


Figure 3. DCO AI-02 Achievement Performance Value 


Figure 3 shows the leadership approval process for the Application Software procurement 
process. This means that in almost all procurements of Application Software, the focus is on the 
approval of the leadership. The risk (IT Risk) is if the College's leadership does not have sufficient 
understanding of the application software being used. 

Another interesting point is the "Technical Support" from the vendor, which is quite a concern 
for the Higher Education leaders. This indicates that most buy so that vendor support becomes one 
of the Critical Success Factors (CSF). However, on the other hand, this also creates a dependency for 
the College on the vendor. Therefore, to reduce this risk (IT RISK), it needs to be equipped with good 
Vendor Management to maintain the continuity of the operationalization of Application Software 
in its role of running the Academic Information System effectively. 


CONCLUSION 


The role of Academic Information Systems today not only causes an organization's various 
activities to be more efficient and practical but also to become an enabler to improve performance 
and provide value. The sophistication of technology that has maturely developed should make the 
main activities and functions of higher education, namely carrying out its academic activities, more 
optimal. To enable the Academic Information System to provide optimal benefits, it must be 
managed by building the right IT Governance for SIAK. COBIT is one of the IT Governance 
Frameworks that is increasingly recognized and popularly used today to optimize an information 
system's performance. Because it succeeds in identifying, defining, and mapping various IT 
processes that should naturally be carried out in medium- and large-scale organizations. Using the 
COBIT IT Framework, it is expected that the AIS can be used optimally to improve the performance 
of Higher Education, especially the Academic Process. 
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An essential element of the Academic Information System is the Application Software, which 
is the driving force. This study is measured through the measurement of the IT Process "Acquire 
and Maintain Application Software" (AI-02) as contained in the "Acquisition and Implementation" 
domain of the IT Framework COBIT. As many as 55% of higher education leaders assess this activity 
as having been carried out quite well, with a performance value of 2.1, indicating that the 
achievement level is 55% of the AI-02 "Detailed Control Objective / DCO" set by COBIT. Thus, only 
about 20% did not achieve DCO, which is in the Low-Risk (Controlled) category. This means that 
the risks accompanying the implementation of IT Process AI-02 can be handled well and maintain 
the performance of AI02. 

The Maturity Level of IT Process Ai-02 Governance shows a number 2.0, which means that IT 
Management of IT Process AI-02 has been carried out with recurring patterns (management) based 
on specific management systems and procedures. However, it is primitive (not patterned, not based 
on a clear and measurable structured method). Management of IT Process AI-02 activities is only 
carried out based on sporadic activities based on IT Projects and is driven more by the IT Function 
that technically runs it. The involvement of stakeholders, including university leaders and end- 
users, in IT Process A102 activities still needs to be improved. At the same time, the involvement of 
"business owners" such as Departments, Study Programmes, Finance Departments, Lecturers, and 
others will determine whether the application software can be used effectively or not and by the 
users' activities. 
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